Invalid free called during libfreetype FT_Done_Glyph

Bug #2059852 reported by M Schoenefeld
Affects            Status  Importance  Assigned to  Milestone
freetype (Ubuntu)  New     Undecided   Unassigned
  Jammy            New     Undecided   Unassigned

Bug Description

A fuzzed font file triggers an invalid free operation. Current upstream 2.13 was not observed crashing with this input.

==1793660== Memcheck, a memory error detector
==1793660== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1793660== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1793660== Command: ftgrid 12 ftgrid_invalid_free_shown_by_valgrind.ttf
==1793660==
==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
==1793660== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
==1793660== by 0x10F09A: UnknownInlinedFun (ftgrid.c:580)
==1793660== by 0x10F09A: main (ftgrid.c:1818)
==1793660==
==1793660== Invalid free() / delete / delete[] / realloc()
==1793660== at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x48C2EC3: UnknownInlinedFun (ftutil.c:173)
==1793660== by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
==1793660== by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
==1793660== by 0x10F1A0: UnknownInlinedFun (ftgrid.c:589)
==1793660== by 0x10F1A0: main (ftgrid.c:1818)
==1793660== Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
==1793660== at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
==1793660== by 0x10F18A: main (ftgrid.c:1818)
==1793660== Block was alloc'd at
==1793660== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1793660== by 0x48BDB08: ft_mem_qrealloc (ftutil.c:145)
==1793660== by 0x48BF04D: ft_mem_realloc (ftutil.c:101)
==1793660== by 0x491815B: ft_smooth_render.lto_priv.0 (ftsmooth.c:475)
==1793660== by 0x48BD24C: FT_Render_Glyph_Internal (ftobjs.c:4721)
==1793660== by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
==1793660== by 0x11A67E: FTDemo_Glyph_To_Bitmap (ftcommon.c:1365)
==1793660== by 0x10DCC1: UnknownInlinedFun (ftgrid.c:575)
==1793660== by 0x10DCC1: main (ftgrid.c:1818)
==1793660==

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
3368 ./malloc/malloc.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
#1  0x00007ffff7ebeec4 in ft_mem_free (P=<optimized out>, memory=<optimized out>) at ./src/base/ftutil.c:173
#2  FT_Bitmap_Done (library=<optimized out>, bitmap=0x5555555a25e0) at ./src/base/ftbitmap.c:1169
#3  0x00007ffff7ec1948 in FT_Done_Glyph (glyph=0x5555555a25b0) at ./src/base/ftglyph.c:650
#4  0x000055555555b1a1 in grid_status_draw_outline (st=0x5555555703e0 <status>, display=<optimized out>, handle=<optimized out>)
    at ./ft2demos/src/ftgrid.c:589
#5  main (argc=<optimized out>, argv=<optimized out>) at ./ft2demos/src/ftgrid.c:1818

$ apt-cache policy libfreetype6
libfreetype6:
  Installed: 2.11.1+dfsg-1ubuntu0.2
  Candidate: 2.11.1+dfsg-1ubuntu0.2
  Version table:
 *** 2.11.1+dfsg-1ubuntu0.2 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.11.1+dfsg-1build1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

Description: Ubuntu 22.04.3 LTS
Release: 22.04
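The first Valgrind complaint above, a malloc() size of -205496320 at ftgrid.c:412, is the usual result of multiplying bitmap dimensions taken from an untrusted font in int arithmetic before allocating. The C below is an added example, not ftgrid's or FreeType's code: it computes rows * |pitch| with an overflow check (field types follow FT_Bitmap, where rows is unsigned and a negative pitch denotes a bottom-up bitmap) next to the unchecked form that produces the negative value. The 64 MiB cap and the function names are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one rendered-glyph buffer (example value, not FreeType's). */
#define MAX_GLYPH_BUFFER_BYTES ((size_t)64 * 1024 * 1024)

/* rows is unsigned and pitch is signed, matching FT_Bitmap; a negative
 * pitch means a bottom-up bitmap, so only its magnitude sizes the buffer.
 * Returns 1 and stores rows * |pitch| in *out, or 0 if the value would
 * overflow size_t, exceed the cap, or pitch has no representable magnitude. */
int checked_bitmap_size(unsigned int rows, int pitch, size_t *out)
{
    size_t abs_pitch;

    if (pitch == INT_MIN)            /* -INT_MIN overflows int */
        return 0;
    abs_pitch = (size_t)(pitch < 0 ? -pitch : pitch);

    if (rows == 0 || abs_pitch == 0) {
        *out = 0;                    /* empty bitmap: nothing to allocate */
        return 1;
    }
    if (rows > SIZE_MAX / abs_pitch) /* product would wrap on this platform */
        return 0;

    size_t n = (size_t)rows * abs_pitch;
    if (n > MAX_GLYPH_BUFFER_BYTES)  /* sane glyphs never get near this */
        return 0;
    *out = n;
    return 1;
}

/* Unchecked form for contrast: the product is taken in 32-bit arithmetic
 * and then read as an int, which is how dimensions from a fuzzed font turn
 * into the "fishy (possibly negative)" size Valgrind reports at malloc(). */
int naive_bitmap_size(unsigned int rows, int pitch)
{
    unsigned int product = rows * (unsigned int)pitch;  /* wraps mod 2^32 */
    return (int)product;                                 /* high bit set => negative */
}

/* Allocate only after the check passed; returns NULL (and leaves *size_out
 * untouched) when the dimensions are rejected, so the caller never ends up
 * holding a buffer of surprising size. */
unsigned char *alloc_glyph_buffer(unsigned int rows, int pitch, size_t *size_out)
{
    size_t n;
    if (!checked_bitmap_size(rows, pitch, &n))
        return NULL;
    *size_out = n;
    return (unsigned char *)calloc(n ? n : 1, 1);  /* zero-size bitmap still gets a valid pointer */
}

int main(void)
{
    /* Constructed dimensions: a plausible glyph and an absurd one of the
     * kind a fuzzed font can hand to the renderer. */
    size_t n = 0;
    printf("32x8:        ok=%d size=%zu\n", checked_bitmap_size(32, 8, &n), n);
    printf("50000x50000: ok=%d naive int=%d\n",
           checked_bitmap_size(50000u, 50000, &n), naive_bitmap_size(50000u, 50000));
    return 0;
}
```

The 58,519,576-byte block in the Valgrind report passes such a check, which is consistent with the second finding being a double free rather than a bad size: the block is released at ftgrid.c:586 and then again by FT_Bitmap_Done via FT_Done_Glyph, so a size check alone would not have caught it.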

Leonidas S. Barbosa (leosilvab) wrote :

Hi, thanks for the time you take to report this bug.

Could you provide any ways to test it?
I did a few tests using the pygame Python lib and freetype, which use libfreetype and so on. The result I got was that the text is not shown when using the font you provided, but there is no crash. Sounds like a 'silent' bug at first glance. So, yep, it affects jammy. Further investigation is needed to figure out if there is already a commit for that issue, if it is a known one.

M Schoenefeld (msch0815) wrote :

My fuzzing harness is the ftgrid tool:

ftgrid 12 ftgrid_invalid_free_shown_by_valgrind.ttf
Segmentation fault

The root cause seems related to calling FT_Glyph_To_Bitmap (as in the crash log). So my suggested approach to reproduce this with a tool other than ftgrid would be to first check whether your test harness triggers the above API call at all (set a breakpoint there in gdb and verify if it hits).

Marc Deslauriers (mdeslaur) wrote :

Ping, can I make this bug public?

M Schoenefeld (msch0815) wrote :

Sure, please go ahead.

information type: Private Security → Public Security